Deliberate Denial Of Risk? Just 5% Of FTSE100 Has Specialist Tech Experience On Its Board

Business surely understands it needs to beware of DDoS, or "distributed denial-of-service" attacks. A warning from Deloitte suggests we could see 10 million DDoS incidents in 2017. But a survey of all FTSE 100 firms by the professional services firm now reveals that only five companies even mention such forms of cyber attacks in their annual reports.

Deloitte Global has predicted that in 2017 DDoS attacks will "become larger in scale, harder to mitigate (increasing the severity of impact) and more frequent." It "expects there will be on average a terabit per second attack per month this year and over 10 million attacks in total." An average attack size, it says, involves between 1.25 and 1.5 Gbit/s (gigabit per second) of junk data being sent. An unmitigated Gbit/s attack, or one whose impact was not contained, "would be sufficient to take many organizations offline," it says.

[Photo: A map of the United States displayed on a computer screen shows cyber attacks in real time at the headquarters of Bitdefender, a Romanian cyber security company, March 2015. Credit: Octav Ganea/Mediafax via AP]

Deloitte also went on to look at the most recently published annual report of every FTSE 100 firm as at 30 September 2016. It finds that although 87% of companies identify cyber as a "principal risk," "just a handful disclose having a director with specialist technology or cyber security experience." As you can see from the chart below, operational risk includes "business execution risk."

Of the type of cyber attacks disclosed as a threat, unauthorized access to systems ranked most common (19%), followed by hacking (13%) and malware (13%).

"In light of high profile breaches, companies understand more than ever that the event of a cyber attack is not a question of if, but when, by whom and by what degree. The vast majority of FTSE 100 reports acknowledge the principal risk, but our analysis shows there were wide variations in the disclosure of cyber risk management and mitigation strategies. Eleven percent of the reports mentioned the creation of a new role or body to take overall accountability for cyber risk, demonstrating the increased focus on cyber risk in organizations," said Phill Everson, head of cyber risk services, Deloitte U.K.

He commented on the "growing expectation for board involvement in cyber oversight, as evidenced by the 10% of companies that delivered cyber related training to their board." "With the pervasive nature of technology and the focus on cyber risk it is alarming that only one in twenty boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience. This is not sustainable, but also reinforces the importance of disclosing such information to investors," said Mr. Everson.

According to the Deloitte report, the most commonly disclosed potential impacts of cyber breaches in FTSE 100 annual reports are business disruption (68%), reputational damage (58%) and data loss (45%). It is called "governance in focus" because, of course, what boards are doing about cyber security is very much a governance issue. Investors should be asking a lot of questions, based on this information.

That is particularly true as businesses appear to understand the great potential risk of "reputational damage." Just look at the recent goings-on at TalkTalk, the FTSE 100 internet service provider.

[Photo: The personal data of millions of Britons could be at risk after telephone and broadband provider TalkTalk was hit by a "significant and sustained" cyberattack, the company said. Credit: LEON NEAL/AFP/Getty Images]

It was hit with a £400,000 ($499,153) fine by the U.K. Information Commissioner's Office (ICO) for security failings that led to the company being hacked in October 2015. The ICO is the independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO's in-depth investigation found that "an attack on the company could have been prevented if TalkTalk had taken basic steps to protect customers' information."

You could argue that the fine was a pittance, although it was a record amount levied by the ICO. But in February 2016, TalkTalk revealed the hack had cost it around £60 million ($75 million) in lost business and "exceptional costs." It was also reported to have lost more than 100,000 customers.

On February 1 this year, TalkTalk CEO Dido Harding announced that she was stepping down. The Guardian reported that she will work just two months of the next financial year but will be paid her full £550,000 ($686,429) salary. "She said that her decision to leave had nothing to do with the cyber-attack, which she said was 'ancient history, [there is] no connection at all,'" reported the paper.

Perhaps it is not surprising after all that boardrooms do not appear to take cyber security as seriously as might be expected. There have been countless cyber attacks on banks recently, affecting the lives of millions of everyday people.

For cyber security genuinely to be acted upon as a principal risk, and not one dismissed as somehow an "act of God," there has to be accountability for it in the boardroom.

I'm a long-time journalist who never did like to specialize, as I have too many areas of interest in a fast-changing world. I am an independent writer/editor/consultant, an ex-Financial Times journalist and I have been a regular contributor to the FT in recent years. I now w...